Novel classes of side channels and covert channels

When assessing the security of security-critical systems, it is crucial to consider conceptually new attacks, as appropriate countermeasures can only be implemented against known threats. Consequently, in this thesis we explore new classes of attacks and evaluate countermeasures. Our contribution is three-fold. We identify two previously unknown side channel attacks, i.e., attacks that exploit unintended information leakage. First, we consider optical emanations, i.e., the unavoidable emanation of every monitor. We demonstrate how to exploit tiny reflections in stationary objects and the human eye, and even diffuse reflections in objects such as the user';s shirt. Second, we study acoustic emanations of dot-matrix printers and show that the printed text can be reconstructed from a recording of the sound emitted while printing. Furthermore, we demonstrate a conceptually new covert channel: whereas side channels leak information unintentionally, in a covert channel there is an explicit sender that cooperates with the receiver. We present a new covert channel in the peer-reviewing process in scientific publishing that reveals the reviewer';s identity to the author. We additionally expose several related problems in the design of the PostScript language.Das Aufdecken neuer Arten von Angriffen ist wichtig zur Verbesserung der Sicherheit von sicherheitskritischen Systemen, da nur für bekannte Angriffe Gegenmaßnahmen ergriffen werden können. Deshalb untersuchen wir in dieser Arbeit neue Arten von Angriffen sowie geeignete Gegenmaßnahmen. Die Arbeit gliedert sich in drei Teile. Zunächst demonstrieren wir zwei neue Seitenkanalangriffe, also Angriffe die unbeabsichtigte Informationslecks ausnutzen. Zum Einen betrachten wir optische Abstrahlungen von Monitoren. Wir zeigen, dass das Bild des Monitors aus Reflexionen in verschiedenen Objekten rekonstruiert werden kann: aus winzigen Reflexionen in vielen stationären Objekten sowie im menschlichen Auge, und sogar aus diffusen Reflexionen beispielsweise auf dem Hemd eines Nutzers. Zum Anderen untersuchen wir die akustischen Abstrahlungen von Nadeldruckern und zeigen, dass der gedruckte Text aus einer Aufnahme der Druckgeräusche rekonstruiert werden kann. Des Weiteren demonstrieren wir einen neuen verdeckten Kanal: Während Seitenkanäle normalerweise durch unvorsichtige Implementierung entstehen, werden die Daten auf einem verdeckten Kanal absichtlich übertragen. Wir demonstrieren einen neuen verdeckten Kanal im Peer-Review-Prozess zur Begutachtung wissenschaftlicher Publikationen, welcher die Identität der Gutachter offenlegt. Darüberhinaus weisen wir auf mehrere grundlegende Probleme im Design der PostScript Sprache hin

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Guideline - Building Perimeter Protection: Design Recommendations for Enhanced Security against Terrorist Attacks

The purpose of the current document is to provide guidance to security and law enforcement officials, building/site owners, venue organizers, state organizations, engineers and other stakeholders that are in charge of securing facilities and critical infrastructures against the growing international terrorist threat. The focus of the report narrows down into recommendations for a robust and usable approach for the physical protection of infrastructures against this borderless phenomenon. It addresses shortcomings encountered in the design of such security solutions and aims at producing a simple, self-contained practical guide to enable the selections and installation of elements that are able to stop and/or deter potential terrorist attacks. A detailed analytical procedure is illustrated for identifying the weaknesses of potential terrorist targets and assess the relevant risk for different terrorist tactics. Advice is provided for the introduction of protection measures against both external and internal explosions and design methodologies are presented for minimizing the likelihood for the development of a progressive collapse mechanism. Moreover, specialized perimeter physical protection measures are proposed that may successfully restrict unauthorized vehicle and intruder access, supplemented by the employment of modern digital technologies, such as video surveillance, smart sensors and video analytics. The novel and emerging threat landscape is also addressed, such as the malicious use of Unmanned Aircraft Systems, requiring new response strategies that call for the adoption of state-of-the-art counter technologies.JRC.E.4-Safety and Security of Building

HandSight: A Touch-Based Wearable System to Increase Information Accessibility for People with Visual Impairments

Many activities of daily living such as getting dressed, preparing food, wayfinding, or shopping rely heavily on visual information, and the inability to access that information can negatively impact the quality of life for people with vision impairments. While numerous researchers have explored solutions for assisting with visual tasks that can be performed at a distance, such as identifying landmarks for navigation or recognizing people and objects, few have attempted to provide access to nearby visual information through touch. Touch is a highly attuned means of acquiring tactile and spatial information, especially for people with vision impairments. By supporting touch-based access to information, we may help users to better understand how a surface appears (e.g., document layout, clothing patterns), thereby improving the quality of life. To address this gap in research, this dissertation explores methods to augment a visually impaired user’s sense of touch with interactive, real-time computer vision to access information about the physical world. These explorations span three application areas: reading and exploring printed documents, controlling mobile devices, and identifying colors and visual textures. At the core of each application is a system called HandSight that uses wearable cameras and other sensors to detect touch events and identify surface content beneath the user’s finger. To create HandSight, we designed and implemented the physical hardware, developed signal processing and computer vision algorithms, and designed real-time feedback that enables users to interpret visual or digital content. We involve visually impaired users throughout the design and development process, conducting several user studies to assess usability and robustness and to improve our prototype designs. The contributions of this dissertation include: (i) developing and iteratively refining HandSight, a novel wearable system to assist visually impaired users in their daily lives; (ii) evaluating HandSight across a diverse set of tasks, and identifying tradeoffs of a finger-worn approach in terms of physical design, algorithmic complexity and robustness, and usability; and (iii) identifying broader design implications for future wearable systems and for the fields of accessibility, computer vision, augmented and virtual reality, and human-computer interaction

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Methods and Techniques for Dynamic Deployability of Software-Defined Security Services

With the recent trend of “network softwarisation”, enabled by emerging technologies such as Software-Defined Networking and Network Function Virtualisation, system administrators of data centres and enterprise networks have started replacing dedicated hardware-based middleboxes with virtualised network functions running on servers and end hosts. This radical change has facilitated the provisioning of advanced and flexible network services, ultimately helping system administrators and network operators to cope with the rapid changes in service requirements and networking workloads. This thesis investigates the challenges of provisioning network security services in “softwarised” networks, where the security of residential and business users can be provided by means of sets of software-based network functions running on high performance servers or on commodity devices. The study is approached from the perspective of the telecom operator, whose goal is to protect the customers from network threats and, at the same time, maximize the number of provisioned services, and thereby revenue. Specifically, the overall aim of the research presented in this thesis is proposing novel techniques for optimising the resource usage of software-based security services, hence for increasing the chances for the operator to accommodate more service requests while respecting the desired level of network security of its customers. In this direction, the contributions of this thesis are the following: (i) a solution for the dynamic provisioning of security services that minimises the utilisation of computing and network resources, and (ii) novel methods based on Deep Learning and Linux kernel technologies for reducing the CPU usage of software-based security network functions, with specific focus on the defence against Distributed Denial of Service (DDoS) attacks. The experimental results reported in this thesis demonstrate that the proposed solutions for service provisioning and DDoS defence require fewer computing resources, compared to similar approaches available in the scientific literature or adopted in production networks

The Cloud-to-Thing Continuum

The Internet of Things offers massive societal and economic opportunities while at the same time significant challenges, not least the delivery and management of the technical infrastructure underpinning it, the deluge of data generated from it, ensuring privacy and security, and capturing value from it. This Open Access Pivot explores these challenges, presenting the state of the art and future directions for research but also frameworks for making sense of this complex area. This book provides a variety of perspectives on how technology innovations such as fog, edge and dew computing, 5G networks, and distributed intelligence are making us rethink conventional cloud computing to support the Internet of Things. Much of this book focuses on technical aspects of the Internet of Things, however, clear methodologies for mapping the business value of the Internet of Things are still missing. We provide a value mapping framework for the Internet of Things to address this gap. While there is much hype about the Internet of Things, we have yet to reach the tipping point. As such, this book provides a timely entrée for higher education educators, researchers and students, industry and policy makers on the technologies that promise to reshape how society interacts and operates

Image and Video Forensics

Nowadays, images and videos have become the main modalities of information being exchanged in everyday life, and their pervasiveness has led the image forensics community to question their reliability, integrity, confidentiality, and security. Multimedia contents are generated in many different ways through the use of consumer electronics and high-quality digital imaging devices, such as smartphones, digital cameras, tablets, and wearable and IoT devices. The ever-increasing convenience of image acquisition has facilitated instant distribution and sharing of digital images on digital social platforms, determining a great amount of exchange data. Moreover, the pervasiveness of powerful image editing tools has allowed the manipulation of digital images for malicious or criminal ends, up to the creation of synthesized images and videos with the use of deep learning techniques. In response to these threats, the multimedia forensics community has produced major research efforts regarding the identification of the source and the detection of manipulation. In all cases (e.g., forensic investigations, fake news debunking, information warfare, and cyberattacks) where images and videos serve as critical evidence, forensic technologies that help to determine the origin, authenticity, and integrity of multimedia content can become essential tools. This book aims to collect a diverse and complementary set of articles that demonstrate new developments and applications in image and video forensics to tackle new and serious challenges to ensure media authenticity

Ubiquity

From its invention to the internet age, photography has been considered universal, pervasive, and omnipresent. This anthology of essays posits how the question of when photography came to be everywhere shapes our understanding of all manner of photographic media. Whether looking at a portrait image on the polished silver surface of the daguerreotype, or a viral image on the reflective glass of the smartphone, the experience of looking at photographs and thinking with photography is inseparable from the idea of ubiquity—that is, the apparent ability to be everywhere at once. While photography’s distribution across cultures today is undeniable, the insidious logics and pervasive myths that have governed its spread demand our critical attention, now more than ever

Cryptanalysis of the Fuzzy Vault for Fingerprints: Vulnerabilities and Countermeasures

Das Fuzzy Vault ist ein beliebter Ansatz, um die Minutien eines menschlichen Fingerabdrucks in einer Sicherheitsanwendung geschützt zu speichern. In dieser Arbeit werden verschiedene Implementationen des Fuzzy Vault für Fingerabdrücke in verschiedenen Angriffsszenarien untersucht. Unsere Untersuchungen und Analysen bestätigen deutlich, dass die größte Schwäche von Implementationen des Fingerabdruck Fuzzy Vaults seine hohe Anfälligkeit gegen False-Accept Angriffe ist. Als Gegenmaßnahme könnten mehrere Finger oder sogar mehrere biometrische Merkmale eines Menschen gleichzeitig verwendet werden. Allerdings besitzen traditionelle Fuzzy Vault Konstruktionen eine wesentliche Schwäche: den Korrelationsangriff. Es ist bekannt, dass das Runden von Minutien auf ein starres System, diese Schwäche beheben. Ausgehend davon schlagen wir eine Implementation vor. Würden nun Parameter traditioneller Konstruktionen übernommen, so würden wir einen signifikanten Verlust an Verifikations-Leistung hinnehmen müssen. In einem Training wird daher eine gute Parameterkonfiguration neu bestimmt. Um den Authentifizierungsaufwand praktikabel zu machen, verwenden wir einen randomisierten Dekodierer und zeigen, dass die erreichbaren Raten vergleichbar mit den Raten einer traditionellen Konstruktion sind. Wir folgern, dass das Fuzzy Vault ein denkbarer Ansatz bleibt, um die schwierige Aufgabe ein kryptographisch sicheres biometrisches Kryptosystem in Zukunft zu implementieren.The fuzzy fingerprint vault is a popular approach to protect a fingerprint's minutiae as a building block of a security application. In this thesis simulations of several attack scenarios are conducted against implementations of the fuzzy fingerprint vault from the literature. Our investigations clearly confirm that the weakest link in the fuzzy fingerprint vault is its high vulnerability to false-accept attacks. Therefore, multi-finger or even multi-biometric cryptosystems should be conceived. But there remains a risk that cannot be resolved by using more biometric information of an individual if features are protected using a traditional fuzzy vault construction: The correlation attack remains a weakness of such constructions. It is known that quantizing minutiae to a rigid system while filling the whole space with chaff makes correlation obsolete. Based on this approach, we propose an implementation. If parameters were adopted from a traditional fuzzy fingerprint vault implementation, we would experience a significant loss in authentication performance. Therefore, we perform a training to determine reasonable parameters for our implementation. Furthermore, to make authentication practical, the decoding procedure is proposed to be randomized. By running a performance evaluation on a dataset generally used, we find that achieving resistance against the correlation attack does not have to be at the cost of authentication performance. Finally, we conclude that fuzzy vault remains a possible construction for helping in solving the challenging task of implementing a cryptographically secure multi-biometric cryptosystem in future